Data Privacy Concerns in the Automotive Industry

June 7, 2023

INTRODUCTION

With the advancement of technology, the automotive industry has recognised the indispensability of constant creativity and innovation to thrive in this highly competitive market. To enhance safety, improve the driving experience, ensure comfort, and increase efficiency, updated software applications are being integrated into vehicles, necessitating their computerization and connectivity. Prominent examples include Android Auto from Google and Apple CarPlay.

In the realm of the automotive industry, particularly in modern vehicles, innovation involves a complex system comprising numerous interconnected embedded computers, actuators, and sensors, often known as Advanced Driving Assistance Systems (hereinafter referred to as “ADAS”).

Although the adoption of these applications offers numerous benefits to both the automotive sector and consumers, the technological innovation that enables them also presents significant challenges to security and privacy.

RISK OF BREACH OF DATA PRIVACY AND CYBERSECURITY

Until recently, the implementation of applications and platforms within vehicles was primarily focused on control systems, with limited communication with the external world. However, the concept of a vehicle as an isolated entity is no longer applicable within the realm of intelligent transport systems.

Information sharing has become crucial for numerous advanced applications. Vehicles now necessitate communication with various entities, including personal devices, other vehicles, road-side infrastructure, and the Internet. As a result, modern vehicles encompass three primary domains. In-vehicle systems, which were originally created for control system applications, have now expanded to support ADAS and telematics functions. Vehicular Ad Hoc Networks (hereinafter referred to as “VANETs”) serve as ad hoc communication networks connecting vehicles and facilitating collaborative ADAS and telematics applications with road-side infrastructure. Lastly, Internet-based applications predominantly revolve around telematics purposes.

Smart vehicles continuously gather data about their surroundings, along with the behaviour of the driver. This data comprises driving-related information, daily start times, data from GPS navigation systems, and Bluetooth connections with mobile devices for features like contact storage and dialing, among others.

Additionally, it may include details such as location, voice commands, search history, previously travelled routes stored in your driving history, driving patterns, traffic conditions, and more. Third-party applications connected to the vehicle also collect similar data. This information is stored within the vehicle’s onboard computer or other storage systems and is utilised to enhance the driving experience and enable companies to provide improved services.

When smart vehicles connect to the Internet, data can be shared with other devices and systems. The rise of connected and autonomous vehicles will lead to increased data collection by automakers. However, this also brings a higher risk of data breaches and hacking.

Even advanced security measures like encryption can be compromised, and anonymized data can be re-identified if personal user information, like license plate numbers, is accessed. This raises concerns about data protection, privacy, and permissible access to vehicle data.

These data privacy trends have significantly impacted the automotive sector, with stakeholders prioritising safety and performance controls.

REGULATIONS TO PREVENT THE BREACH

In June 2020, WP.29 was introduced by the World Forum for Harmonisation of Vehicle Regulations, a working party of the Sustainable Transport Division of the United Nations Economic Commission for Europe (hereinafter referred to as “UNECE”).

It has adopted a new international automotive cybersecurity norm to pave the road for connected vehicles and reduce cybersecurity risks to passenger vehicles. The regulation creates cybersecurity and software update management performance and audit criteria for new passenger vehicles sold in the European Union and dozens of other countries. UN Regulation No. 155 on Cyber Security and Cyber Security Management Systems is the first international regulation specifically designed to govern the cybersecurity of modern vehicles. This regulation imposes several requirements, including the obligation for automakers to conduct vehicle cybersecurity risk assessments and to monitor and report security incidents.

Additionally, UN Regulation No. 156 on Software Updates and Software Update Management Systems has established a set of standards for software updates, including over-the-air updates, with the aim of mitigating cybersecurity risks.

Data protection laws, including the EU’s General Data Protection Regulation (hereinafter referred to as “GDPR”) and the California Consumer Privacy Act (hereinafter referred to as “CCPA”), provide safeguards for personally identifiable information.

In Germany, car manufacturers have taken proactive measures. The Verband der Automobilindustrie (hereinafter referred to as “VDA”), an automotive group, has developed an Information Security Assessment (hereinafter referred to as “ISA”) based primarily on international standards ISO/IEC 27001 and 27002. To facilitate compliance audits, the VDA has established the Trusted Information Security Assessment Exchange (hereinafter referred to as “TISAX”) as an assessment and exchange platform.

These laws and standards enforce various cybersecurity best practices for vehicle manufacturers and their business partners. Noncompliance can lead to substantial financial penalties under regulations like GDPR and CCPA.

DATA PRIVACY BREACH BY AUTOMOBILE COMPANIES

Tesla

Tesla recently faced data protection failures that resulted in complaints from customers regarding the driver assistance system provided in Tesla cars. The incident involved the exposure of data known as the “Tesla Files”.

The leaked data also included private email addresses, phone numbers, employee salaries, customer bank details, and confidential production information.

Earlier, between 2019 and 2022, Tesla employees were found to have shared private customer videos using the company’s internal messaging systems.

Following an investigation by a Dutch privacy regulator, the company agreed to modify camera settings that recorded videos while the vehicles were turned off. The regulator had determined that these cameras violated privacy regulations outlined in the GDPR.

While the cameras in Tesla vehicles serve useful purposes by enabling impressive features, the growing collection of visual data raises concerns over privacy. Videos often contain identifiable information such as faces, addresses, and sensitive metadata.

The responsible management of this visual data is crucial: as Tesla has learned through its own experience, videos can be misused with serious consequences.

Jeep

In 2015, a lawsuit was filed by three car owners against the U.S. subsidiary of an Italian-controlled carmaker and Harman International Industries, a subsidiary of Samsung Electronics Co. The lawsuit specifically concerned the Uconnect infotainment system installed in Ram, Dodge, Jeep, and Chrysler trucks.

According to the lawsuit, the infotainment system exhibited vulnerabilities that enabled cyber criminals to access and assume control over critical safety functions, such as acceleration, braking, steering, and ignition. The issue gained significant attention when researchers successfully hacked a moving Jeep Cherokee.

The Uconnect software, which is equipped with an Internet connection, possessed a security flaw that allowed hackers to remotely access and take control of various systems within the car. Unlike other cyberattacks that solely target the entertainment system, the Uconnect hack impacted multiple driving systems, including GPS, windscreen wipers, steering, brakes, and engine control.

Since late 2013, the FCA group has installed the Uconnect system in hundreds of thousands of cars, enabling owners to remotely start their vehicles, unlock doors, and activate the headlights using a mobile app.

AMLEGALS REMARKS

Data privacy and protection regulations serve to safeguard customer information against unauthorised access and misuse. These regulations commonly necessitate companies to uphold the confidentiality and security of customer data, ensuring that only authorised personnel have access to it.

Navigating cybersecurity threats and mitigating the risk of sanctions under the data protection law are crucial for automotive companies. These companies adhere to the principles of data protection by design and by default.

This entails designing technologies in a way that minimises the collection of personal data, incorporating privacy-protective default settings, and ensuring that Data Subjects are well-informed and empowered to modify their personal data configurations easily.

Furthermore, it is important to assess and address supply chain risks by incorporating audit clauses, mandating testing procedures, and implementing cyber security best practices and standards. State-of-the-art technology and tools should be utilised to enhance security measures.

Lastly, regular reviews and updates of technical and organisational measures should be conducted to align with existing systems and technologies.

With the increasing adoption of video surveillance and recording technologies by companies, it is crucial for them to be aware of the associated risks and proactively address them. This entails the implementation of transparent privacy policies, regular assessment of access controls, vigilant monitoring, and the anonymization of such footage. By adhering to these measures, companies can safeguard their customers’ privacy rights and uphold their commitment to privacy protection.

– Team AMLEGALS assisted by Ms. Prarthi Shah (Intern)


For any query or feedback, please feel free to get in touch with mridusha.guha@amlegals.com or falak.sawlani@amlegals.com
